Fuzzbuzz Security Policy

Data Center & Network Security

Fuzzbuzz hosts its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an
extensive list of compliance and regulatory assurances, including SOC 13, and
ISO 27001. See Amazon's compliance and security
documents for more detailed information.

Fuzzing workloads are distributed across a multi-cloud network of virtual machines, which are hosted by
Amazon Web Services, Google Cloud Services, or Digital Ocean. Their respective security and compliance
documents can be viewed here:

All of Fuzzbuzz's servers are located within Fuzzbuzz's own virtual private cloud, and don't allow
external connections from untrusted sources. Our software infrastructure is updated regularly with the
latest security patches.

Data Security

All connections to Fuzzbuzz are encrypted using SSL, and any attempt to connect over HTTP is redirected
to HTTPS.

All customer data is encrypted in transit with either TLS or HTTPS, and sensitive data such as deploy
keys for source control tools is encrypted at rest.

All billing information, including credit card numbers and addresses, is processed by Stripe, and
never touches our servers at all. View Stripe's
Security Policy for more information.

Source Code Security

Communication with your VCS to access source code is always encrypted over the wire using SSH and/or
HTTPS.

Fuzzbuzz runs all builds and fuzzing jobs in isolated, single-tenant virtual machines that are
destroyed when they are no longer in use.

Source code is always encrypted via TLS and SSH in transit. Source code pulled from version control
systems is deleted as soon as it is no longer needed, and is never backed up. Source code uploaded to
Fuzzbuzz via a zip file is encrypted at rest.

Have a security concern about Fuzzbuzz?

Please let us know if you have found a vulnerability in Fuzzbuzz, or if you have any concerns, by
sending us an email at security@fuzzbuzz.io.